Tradecraft: Steganography and Covert Communications

April 14, 2021

Michael Ellmer




Steganography is a tradecraft method used to conceal messages in plain sight. This article surveys the concept from its historical beginnings, differences from cryptography, methodology, and a case study highlighting its use by the Al Qaeda organization.




Historical Context


Steganography is not an avant-garde tradecraft practice. Within the confines of its contemporary forms, steganographic concealing has advanced in tandem with the technological advancements of the cyber era.  


As the tale goes, a 5th century Greek by the name Histaiacus used a primitive form of steganography to relay a message into Persia, his enemy’s territory. One of his slaves shaved their head and was tattooed on the scalp with a message calling for the formation of a grass-roots insurgency against the Persian king. Once the slave’s hair regrew, he traversed across the Persian border and found the recipient of the message, who then shaved his head to read it.   


Further along in time, a 17th century German Benedictine abbot named Johannes Trithemius published the Steganographia, which humorously defines the craft as “The sure art of disclosing the intention of one’s mind to those who are absent through secret writing”.


Trithemius starts this text by saying, “It is the opinion of the learned that whenever the ancient sages, whom in the Greek language we call Philosophers, discovered any secret of art or nature, they concealed it through various modes and figures lest the knowledge of it should fall into the hands of the wicked. That even Moses, the famed leader of the Israelite race, in his description of the creation of Heaven and Earth, concealed with simple words the ineffable arcana of these mysteries, all the scholars of the Jews confirm.”


Invisible ink is another primitive example that was used in World War II, where special chemicals were used to write a message on a piece of ordinary source material, such as an unsuspecting letter.  Inferences can be drawn from these examples that allude to the modus operandi of steganography: concealing messages, except with a twist…



Steganography v Cryptography


Steganography stems from the Greek word steganos which translates to “covered” or “reticent”. It can be easily mistaken for cryptography due to the baseline similarities between both concepts (a method of concealing a message).  


Cryptography deviates from steganography in terms of the way the message is presented – altered and not in its organic form. In the former, there is generally some sort of encryption used that requires a specific key on the end of the recipient in order to decipher the message. An early example of this comes courtesy of the late mathematician Alan Turing, who was instrumental in the development of the Bombe, a World War II era machine that cracked the Nazi’s Enigma code. Contemporarily speaking, Pretty Good Privacy (PGP) encryption is a cryptographical technique that is used by secure mail services like ProtonMail, and for communication between vendors and buyers in dark web marketplaces.  


In Steganography, the source message is not altered. Instead, through various techniques, the message is “hidden in plain sight”. Like cryptography, steganography is a concept and not a specific technique. Underneath its umbrella is a wide array of steganographic methods, ranging from physical to digital, with the latter being the most generationally relevant.


Of course, comparing the two is not quite as black and white as it may seem. There can be overlap, as noted by Peter Wayner in his book Disappearing Cryptography. Wayner writes,


“Drawing a line between the two is both arbitrary and dangerously confusing. Most good cryptographic tools also produce data that looks almost perfectly random. You might say that they are trying to hide the information by disguising it as random noise. On the other hand, many steganographic algorithms are not trivial to break even after you learn that there is hidden data to find. Placing an algorithm in one camp often means forgetting why it could exist in the other”.






Steganography has evolved over time from the early days of shaved heads and invisible ink. In its modern form, digital techniques are king. Digital watermarks are one of these methods, especially in the business sector. Intellectual property theft and corporate espionage is a realistic threat, and watermarks help mitigate that in some capacity, like the watermarks found on state currency bills that prevent counterfeiting. In layman terms, digital watermarking consists of overlaying some sort of image or piece of information over the primary message, generally by using some sort of specialized software. If the watermark is altered or removed, the message is destroyed.


Dead drops are an entirely different tradecraft discipline but can be used in a steganographic way in covert operations, aka a “digital dead drop”. According to Eric Cole in his book Hiding in Plain Sight, a spy can create a file with the intended message, and upload it to “newsgroups, bulletin boards, or FTP sites that exist across the internet”. The recipient would then download the message straight from that location. This leaves ample room for creativity, especially with the endless amount of possible host websites, some more niche than others which adds to the randomness if an external actor is surveilling the messenger or recipient.


Digital dead drops have been used within the past decade, particularly by Russian agents working within the United States on behalf of the Kremlin. According to a 2010 FBI lawsuit, the Russian actors that were subject of the investigation were reported to have used steganographic software unique to Moscow in order “to insert encrypted data in images that are located on publicly-available websites without the data being visible”.


Likewise, a study by the Annual ADFSL Conference on Digital Forensics, Security and Law found that criminals and terrorists have used the XBOX 360 gaming console as a steganographic tool.


According to Cole, there are three core principles that can be used when gauging the effectiveness of a steganographic technique:


  • Amount of data – “the more data you can hide, the better the technique.”

  • The difficulty of detection – “how easy it is for someone to detect that a message has been hidden.”

  • The difficulty of removal – “the principle that someone intercepting your file should not be able to remove the hidden data easily.”


Furthermore, there are three primary groups of steganography that the various techniques can be catalogued under:


  • Insertion-Based – These techniques “insert” the message or data into a file, particularly in small bits. If done correctly, the message should not have any noticeable effect on the source file.

  • Algorithmic-Based – Algorithms are an essential part of modern technology and computing. Within this category, a computer-generated algorithm determines where the message should be concealed on the host file. A possible pitfall in these methods is the degradation of the host file.

  • Grammar-Based – This method is rather simple in theory. According to Cole, “if you wanted a piece of text to sound like the Washington Post classified section, you could gather a large amount of source material from the classified section and render statistical patterns. The patterns would make it possible to mimic the output (the classified ad section). This method can be used to circumvent analytical software.




Case Study: Steganography & Al Qaeda


The primary data and reporting are a bit shaky, but there have been a few notable instances of steganography use within terrorist organizations and non-state criminal enterprises.


According to CNN, in 2012 an Austrian named Maqsood Lodin was apprehended by authorities in Berlin and interrogated due to ties with the Salafi-jihadist movement and a recent stay in Pakistan. Upon searching Lodin, his interrogators discovered multiple digital storage devices. On those devices were two pornographic films titled “Kick Ass” and “Sexy Tanja”.


A few weeks later, forensic analysis determined that there was more to the files than carnal pleasures for personal use. It turns out that the host files were used to conceal a substantial amount of raw intelligence about Al Qaeda operations, including details on future plots and operations, terrorism training manuals, and a total of over 100 documents. An intelligence source told CNN it was one of the most significant finds since the intelligence derived from the 2011 Bin Laden raid.




Image: Portswigger (link)


Related Post